In the digital age, every leak of personal data to unauthorized people can cause irreparable damage to an individual. That is why the members of youth organizations and the people behind youth exchanges have an important task: to protect the sensitive data of their participants, especially when working with children. The protection of personal data is not just a moral obligation but also a legal one, in accordance with the well-known European Union law called the General Data Protection Regulation (GDPR).
This chapter is designed to equip you with basic knowledge on how to protect the data of participants in youth exchange projects and prevent any unauthorized use of it. We will use the GDPR as a reference point when guiding you through the steps of data protection, since this law applies not only to organizations registered in the EU, but also to all legal entities which offer any paid or free goods and services to EU citizens.
We will start with an introduction to the concept of personal data. You need to know that there is no definite list of what information is regarded as personal data, since it can be any information that may directly or indirectly lead to the identification of an individual. The most common personal data that youth organizations work with are names, ID/passport numbers, physical addresses, email addresses, phone numbers, bank account details, etc. Photos, videos and audio recordings can also be regarded as personal data if they can be used to identify a person.
Lawfulness, fairness and transparency
Make sure that you always have a legal ground to process personal data
Make sure you use personal data within the boundaries of the legitimate purpose you want to achieve, e.g. selecting exchange participants
You have to inform data subjects for how long you will keep the data
Collect just the data you really need for your purpose
Make sure that the data you collect are correct
Integrity and confidentiality
You need to guarantee the safety of personal data
You are responsible for the state of implementation of data protection rules in your organization
In order to collect, process and store personal data, you need to obtain a “permit” from the person whose data you need for the legitimate purposes of your work. That permit is called consent, and in order for it to be valid it has to be freely given, unambiguous, specific and based on an informed decision of the individual. The person whose data you collect, a.k.a. the data subject, has the right to withdraw consent at any moment, to request to be informed about your data processing principles, or to demand that their data be permanently deleted from your databases.
By obtaining consent to collect, process and store personal data, you have satisfied just a portion of the GDPR principles and requirements regarding data protection. You will also need to respect these principles in your daily work in order to make your data processing practices safer.